Arcosa, Inc. - (ACA)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy.
Arcosa continues to make cybersecurity a priority as the threat landscape evolves and becomes increasingly complex and sophisticated.
Managing Material Risks & Integrated Overall Risk Management
Arcosa has strategically integrated cybersecurity risk management into its broader risk management framework to promote a company-wide culture of cyber risk awareness. Arcosa's Chief Information Security Officer ("CIO") and Director of Information Security work closely with the IT department to continuously evaluate and address cybersecurity risks in alignment with business objectives, operational needs, and industry-accepted standards, such as the CIS Critical Security Controls and National Institute of Standards and Technology ("NIST") frameworks.
The Company has processes and procedures in place to monitor the prevention, detection, mitigation, and remediation of cybersecurity risks. These include but are not limited to:
• Maintaining a defined and practiced incident response plan;
• Maintaining cyber insurance coverage;
• Employing appropriate incident prevention and detection software, such as antivirus, anti-malware, firewall, endpoint detection, and identity and access management;
• Maintaining a defined disaster recovery policy and employing backup/disaster recovery software, where appropriate;
• Educating, training, and testing employees on information security practices and identification of potential cybersecurity risks and threats;
• Ensuring familiarity and compliance with cybersecurity frameworks where appropriate; and
• Reviewing and evaluating new developments in the cyber threat landscape.
Engaging Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity risk, the Company engages with a range of external experts, including cybersecurity consultants, in evaluating, monitoring, and testing Arcosa's cyber management systems and related cyber risks. The Company's collaboration with these third parties includes audits, threat and vulnerability assessments, incident response plan testing, company-wide monitoring of cybersecurity risks, and consultation on security enhancements.
Managing Third Party Risk
Arcosa recognizes the risks associated with the use of vendors, service providers, and other third parties that provide information system services, process information on its behalf, or have access to its information systems, and Arcosa has processes in place to oversee and manage these risks. In addition to the minimum security and control standards, these processes include other quality control measures, such as utilizing a third-party security scoring system to evaluate the security posture of current and potential parties. Arcosa also maintains ongoing monitoring to support continuous compliance with its cybersecurity standards.
Risks from Cybersecurity Incidents
Arcosa has not been subject to cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, the Company, its operations, or its financial standing.
Governance
Risk Management Personnel
Arcosa's cybersecurity risk management program is overseen by management at multiple levels. The CIO and Director of Information Security play key roles in assessing, monitoring, and managing the Company's cybersecurity risks with the support of dedicated information technology and security personnel. Both the CIO and Director of Information Security have been in their respective roles at Arcosa for 5 years. The CIO has over 40 years in leadership positions in the high-tech and IT industries. He is experienced in detailed product and solution development as well as business process operations, providing an understanding of how cybersecurity considerations intersect with the business. The Director of Information Security and Compliance at Arcosa has more than 20 years of experience architecting, designing, and deploying security solutions based on industry frameworks.
Monitor Cybersecurity Incidents
The CIO and Director of Information Security are continually informed and updated about the latest developments in cybersecurity, including emerging threats and innovative risk management techniques. They implement and oversee processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the Company is equipped with a defined and practiced incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Board of Directors Oversight
The Audit Committee of the Company's Board of Directors is responsible for overseeing the Company's cyber risk. The CIO and other experts, as necessary, provide the Audit Committee with quarterly updates that encompass a broad range of topics, including but not limited to:
• Current cybersecurity threat landscape and emerging threats;
• Status of ongoing cybersecurity initiatives and strategies;
• Incident reports and learnings from unique cybersecurity events, including those of other companies;
• Compliance status and efforts with regulatory requirements and industry standards; and
• Benchmarked data on the performance of certain aspects of our cybersecurity program relative to our peers.
In addition, the CIO provides updates to the full Board upon request or to inform the Board of unique developments, such as regulatory updates or unique vulnerability developments. Our Board is composed of members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.